40Hex Volume 1 Issue 2 0005 The Dark Avenger --- ---- ------- Part I. The Dark Avenger ------------------------- Introduction: The following text file was sent directly to Professor Vesselin Bontchev in a public sent to an anti-viral board located in Sofia, Bulgaria. Bontchev is one of the leading anti-viral researchers in Europe today. A producer of number of effective anti-viral programs in Bulgaria, his programs are widely used throughout Europe. The Dark Avenger is Bulgaria's most dangerous viral code writer and a heavy metal fanatic - as this message concerning himself, written by him (often referring to himself in third person) reveals: ---------------- DARK AVENGER ============ DARK AVENGER is the pseudonym used by a particularly prolific and malicious Bulgarian virus writer. It is also the name given in the West to some of his earlier viruses. His viruses include: DARK AVENGER V651, V1800, V2000 and V2100 NUMBER OF THE BEAST aka 512 (several versions) ANTHRAX (Infects both files and boot sectors) V800 and its derivatives: 1226, PROUD, EVIL & PHOENIX Some other viruses, e.g. NOMENKLATURA & DIAMOND are in his style but are believed to be the work of others. MURPHY has been strongly influenced by him but is known to be of different authorship. CRAZY EDDIE may also be his. Several 'hacks' are now appearing of V1800, V2100, MURPHY and DIAMOND. ************* more ********** Eddie is the mascot of the British heavy metal group, Iron Maiden (hence 'up the irons'). It is a 20 foot high skeleton that appears on stage with them and is featured on the sleeves of all their albums. Anthrax and Damage Inc are other heavy metal groups whose names have been featured in some Dark Avenger viruses. Iron Maiden numbers have also been mentioned including 'Somewhere in Time', 'Only the Good Die Young' and 'Number of the Beast'. ************** more ********** Unusually, this virus writer has also produced a virus removal program together with a version log of his EDDIE series, as reproduced below with its original spelling and grammar. "DOCTOR QUICK! Virus Doctor for the Eddie Virus Version 2.01 10-31-89 Copyright (c) 1988-89 Dark Avenger. All rights reserved. DOCTOR /? for help It may be of interest to you to know that Eddie (also known as "Dark Avenger") is the most widespread virus in Bulgaria for the time being. However I have information that Eddie is well known in the USA, West Germany and USSR too. I started in writing the virus in early September 1988. In those times there were no any viruses in Bulgaria, so I decided to write the first Bulgarian virus. There were some different Eddie's versions: VERSION 1.1, 16-DEC-1988 In December I've decided to enhance the virus. This version could infect files during their opening. For that reason, a read buffer was allocated in high end of memory, rather than using DOS function 48h when needed. The disk was destroyed instead of the infected files. VERSION 1.2, 19-DEC-1988 This added a new feature that causes (for example) compiled programs to be infected at once if the virus is resident. Also, the "Eddie lives..." message was added (can you guess why exactly "Eddie"?) VERSION 1.31, 3-JAN-1989 This became the most common version of Eddie. A code was added to find the INT 13 rom-vector on many popular XT's and AT's. Also, other messages were added so its length would be exactly 1800 bytes. There was a subsequent, 1.32 version (19-JAN-1989), which added self-checksum and other interesting features that was abandoned because it was extremely buggy. In early March 1989 version 1.31 was called into existence and started to live its own life to all engineers' and other suckers' terror. And, the last VERSION 1.4, 17-OCT-1989 This was a bugfix for version 1.31, and added some interesting new features. Support has been added for DOS 2.x and DOS 4.x. For further information about this (the most terrible) version, and to learn how to find out a program author by its code, or why virus-writers are still not dead, contact Mr. Vesselin Bontchev (All Rights Reserved). So, never say die! Eddie lives on and on and on... Up the irons!" NOTE: Vesselin Bontchev, who the Dark Avenger is trying to discredit, is a leading virus researcher at the Bulgarian Academy of Sciences. Post Note: There is a rumor concerning the fact that RABID now has the Dark Avenger on their staff of virus writers, and that the new Dark Avenger variant released by them was, in fact, written by him. This has yet to be proven. The more acceptable belief concerning this new strain is that RABID simply picked up the source code for Dark Avenger, released last December, and modified it. Part II - Dark Avenger - Strain A ----------------------- Vesselin Bontchev reports in May 1990: The Dark Avenger virus. ====================== - I found two new mutations of this virus. Well, maybe "mutations" is not the correct word. In the first of them, the first 16 characters of the string "Eddie lives... somewhere in time!" were replaced with blanks. In the second example, all strings (the message above, the copyright message and the "Diana P." string) were replaced with blanks. - The author of the Dark Avenger virus (The bastard! I still cannot determine who he is.) has released the source code of his virus. It is full with ironic comments about me. Of course, now we have to expect lots of new, similar viruses to appear. At least, this leaded to one good thing - the source helped me very much in disassembling the V2000 virus. - I received a rather offensive anonymous letter from this person. In it he claims to be also the author of both the V2000 (I trust this) and the Number of the Beast viruses (the latter is unlikely). [See Above] Information About the Dark Avenger Virus, courtesy of "Virus Bulletin Ltd," Buckinghamshire, England. Note: This information is far more valuable than the standard Virus Summary by Patricia Hoffman. Her entry concerning DA fails to go into more depth about the Dark Avenger virus and apparently she has yet to receive information of the different versions of DA. Such information is already a year old, but she has yet to include it. Entry...............: Dark Avenger Alias(es)...........: --- Virus Strain........: Dark Avenger Virus detected when.: November 1989 where.: USA Classification......: February 1990 Length of Virus.....: about 1800 Bytes --------------------- Preconditions ----------------------------------- Operating System(s).: DOS Version/Release.....: Computer model(s)...: IBM-compatible --------------------- Attributes -------------------------------------- Easy Identification.: Two Texts: "Eddie lives...somewhere in time" at beginning and "This Program was written in the City of Sofia (C) 1988-89 Dark Avenger" near end of file Type of infection...: Link-virus COM-files: appends to the program and installs a short jump EXE-files: appends to the program at the beginning of the next paragraph Infection Trigger...: COM and EXE files are corrupted on any read attempt even when VIEWING!!! Storage media affected: Any Drive Interrupts hooked...: Int 21 DOS-services Int 27 Terminate and Stay Resident Damage..............: Overwrites a random sector with bootblock Damage Trigger......: each 16th infection; counter located in Bootblock Particularities.....: - Similarities........: - --------------------- Agents ------------------------------------------ Countermeasures.....: NONE! All data can be destroyed !!!! There is no way in retrieving lost data. Backups will most probably be destroyed too. Countermeasures successful: install McAfee's SCANRES. Standard means......: Good luck! Hopefully the virus did not destroy too many of your programs and data. --------------------- Acknowledgement --------------------------------- Location............: VTC Uni Hamburg Classification by...: Matthias Jaenichen Documentation by....: Matthias Jaenichen Date................: 31.01.1990 Part III - DARK AVENGER 2000 ================= Date: 02 Feb 90 10:49:00 +0700 From: Vesselin Bontchev This virus is also "made in Bulgaria" and again I am indirectly the cause of its creation. I am a well known "virus-buster" in Bulgaria and my antivirus programs are very widely used. Of course, virus designers didn't like it. So their next creation... causes trouble to my antivirus programs. This virus is exactly 2000 bytes long and I think that it was created by the author of the Eddie (Dark Avenger) virus. The programming style is the same and there are even pieces of code which are the same. The virus acts much like the Eddie one --- it installs resident in memory by manipulating the memory control blocks; infects COMMAND.COM at the first run; infects both .COM- and .EXE-files; infects files when one executes them as well as when one copies them. However, there are some extras added. First, the virus is able to fetch the original INT 13h vector just like the V512 one (by using the same undocumented function --- tricks spread fast between virus programmers). Second, it intercepts the find-first (FCB) and find-next (FCB) functions --- just like V651 (aka EDDIE II) (and contains the same bugs), so you won't see the increased file lengths in the listing displayed by the DIR command. Third, it contains the string "Copyright (C) 1989 by Vesselin Bontchev", so people may think that I am the author of this virus. In fact, the virus searches every program being executed for this string (the case of the letters does not matter) and if found, hangs the system. It is not necessary to tell you that all my antivirus programs contain this string. Of course, now I will have to use some kind of encryption, just to prevent such tricks. Vesselin Bontchev reported in May 1990: The V2000 virus (DARK AVENGER 2000) =================================== - It turned out that the example of this virus I sent to some of the antivirus researchers was not the original version. The original contains the string "Only the Good die young..." instead of the "Copy me - I want to travel" message. Also a small piece of code in the original version was patched to contain the "666" string. (That is, the version you have contains this string, the original does not.) - There exists also a small mutation of the version you have. The only difference is that the `C' character in the word "Copy" was changed to `Z'. - When describing the V2000 virus, I stated that it halts the computer if you run a program which contains the string "Copyright (c) 1989 by Vesselin Bontchev". This is not quite correct. In fact, the programs are only checked for the "Vesselin Bontchev" part of the string. - I obtained John McAfee's program Clean, version 60. In the accompanying documentation he states about the V2000 virus that "The virus is very virulent and has caused system crashes and lost data, as well as causing some systems to become non-bootable after infection". This is not very correct, or at least, there is much more to be said. The virus is exactly as virulent as the Dark Avenger virus, and for the same reason. It infects files not only when one executes them, but also when one reads or copies them. This is achieved exactly in the same manner as in the Dark Avenger. The systems become non-bootable when the virus infects the two hidden files of the operating system - it cannot distinguish them from the regular .COM files. By the way, the Dark Avenger virus often causes the same effect. And at last, but not least (:-)), the virus is highly destructive - just as the Dark Avenger is. It destroys the information on a randomly selected sector on the disk once in every 16 runs of an infected program. The random function is exactly the same, and the counters (0 to 15 and for the last attacked sector) are exactly the same and on the same offsets in the boot sector as with the Dark Avenger virus. The main difference is that the destroyed sector is overwritten not with a part of the virus body, but with the boot sector instead. This makes a bit more difficult to discover which files are destroyed - the boot sector is contained in many "good" programs, such as FORMAT, SYS, NDD. Also, the nastiest thing - the damage function is not performed via INT 26h (which can be intercepted). The virus determines the address of the device driver for the respective disk unit (using an undocumented DOS function call, of course. I begin to wonder if Ralf Brown did any good when he made the information in the INTERxyy file available :-)). Then it performs a direct call to that address. The device driver in DOS does its work and issues the appropriate INT 13h. However the virus has scanned the controllers' ROM space and has determined the original address of the interrupt handler - just as the Dark Avenger virus does. Then it has temporary replaced the INT 13h vector with the address of this handler. The result is that the damage function cannot be intercepted. - Also this virus (unlike Dark Avenger) supports PC-DOS version 4.0 and will work (and infect) under it. - The bytes 84 A8 A0 AD A0 20 8F 2E in the virus body are the name "Diana P.", this time written in cyrillics. Unknown Source